Wednesday, November 19, 2008

Corporate Identity Theft Revisited

Last year I did a post in which I speculated on whether we really need corporate identity theft statutes (among other things). As you may know, most identity theft (and identity fraud) statutes make it a crime to steal a real person’s – a human being’s – identity.

I think they take this approach because the theft of the identities of real human beings has been the problem the law and other aspects of our societies have been dealing with since it became apparent that you can misappropriate what statutes usually refer to as “personal identifying information.” Most, if not all, of the identity theft/fraud statutes do not explicitly say they only apply to individuals, but they achieve that effect by defining “personal identifying information” as things like Social Security numbers, birth dates, mother’s maiden name, driver’s license numbers, etc.

In the earlier post, I talked about a case in which a paralegal effectively stole the identity of a law firm, a corporate entity. Since she was charged with grand larceny, the issue of identity theft did not (and presumably could not have) come up.

After I wrote that post, the Georgia Court of Appeals decided a case involving corporate identity theft. The case is Lee v. State, 283 Ga. App. 826, 642 S.E.2d 876 (2007) and here are the facts:

Lee used to work for Snelling Personnel Services, a company that provides temporary workers for businesses. Lee had received payroll checks from Snelling and had kept in contact with the company to update his file, most recently in August 2004. On December 6, 2004, someone using the fictitious name of James Strobridge ordered 500 Snelling payroll checks from NEBS Business Forms in Massachusetts. The order was placed from Lee's cellular telephone and the address to which the checks were to be shipped is Lee's home address of 17 Mikell Street in Statesboro.

Four days later, on December 10, a second call was made from Lee's telephone to NEBS, inquiring about the status of the order. That same day, the shipment of the 500 payroll checks to be delivered to Lee's house arrived in Statesboro. The delivery driver, however, recognized that the Mikell Street address is a private residence and he knew that Snelling's office is actually located on South Zetterower Avenue; so he delivered the shipment to the business office on South Zetterower.

No one at Snelling had ordered the checks, which contain the number of a Snelling bank account that, on average, carries an $80,000 balance. Snelling's branch manager called the police. Upon discovering that the fraudulent order had been placed from Lee's phone and was to be sent to his address, the police arrested Lee.

Lee v. State, supra.

Lee was charged with identity fraud under Georgia Code § 16-9-121. At the time, this statute read as follows:

A person commits the offense of identity fraud when without the authorization or permission of a person with the intent unlawfully to appropriate resources of or cause physical harm to that person, or of any other person, to his or her own use or to the use of a third party he or she:

(1) Obtains or records identifying information of a person which would assist in accessing the resources of that person or any other person; or

(2) Accesses or attempts to access the resources of a person through the use of identifying information.

The language in the opinion is a little murky, but I gather that Lee argued he could not be guilty of identity fraud because, as I noted earlier, the crime is normally considered to be committed only when someone misappropriates the identity of a real person. Here, the identity that was stolen was that of a corporation – Snelling.

I think Lee must have made this argument because the Georgia Court of Appeals explained that

the applicable definition of `person’ for all of Title 16 is found in [Georgia Code] § 16-1-3(12), which states that: `”‘Person’ means an individual, a public or private corporation, an incorporated association, government, government agency, partnership, or unincorporated association.”’ Accordingly, Snelling is a `person’ under the identity fraud statute, and there is sufficient evidence from which a rational trier of fact could have found beyond a reasonable doubt that Lee is guilty of identity fraud in that he attempted to access Snelling's resources through the use of its bank account information and the fraudulent payroll checks.

Lee v. State, supra. The court therefore affirmed his conviction.

I actually think that’s a good outcome. Lee could probably also have been charged with fraud, but it seems to me that identity fraud (or identity theft) really captures what he did: He misappropriated and misused Snelling’s “Identifying information.” In a footnote the court noted that under Georgia Code § 16-9-120(4)(D) and (E), “the term `identifying information’ as used in the identity fraud statute includes checking and savings account numbers.” Lee v. State, supra.

Since I actually this is a good outcome, I’m mystified by the fact that it won’t work anymore, at least not in Georgia. Effective May 24, 2007, the Georgia legislature changed the state’s identity theft statute so it now reads as follows:

(a) A person commits the offense of identity fraud when he or she willfully and fraudulently:

(1) Without authorization or consent, uses or possesses with intent to fraudulently use, identifying information concerning an individual;

(2) Uses identifying information of an individual under 18 years old over whom he or she exercises custodial authority;

(4) Creates, uses, or possesses with intent to fraudulently use, any counterfeit or fictitious identifying information concerning a fictitious individual with intent to use such . . . information for the purpose of committing or facilitating . . . a crime or fraud on another person; or

(5) Without authorization or consent, creates, uses, or possesses with intent to fraudulently use, any counterfeit or fictitious identifying information concerning a real individual with intent to use such . . . information for the purpose of committing or facilitating the commission of a crime or fraud on another person.

Georgia Code § 16-9-121 (as revised). As you can see from the definition of "person" quoted above, the law regards an "individual" as a human being, i.e., not as a corporate or other artificial legal entity.

I wonder why the Georgia legislature changed the statute. The original version could be used to prosecute identity theft/fraud directed at an individual; its advantage what that it could also be used to prosecute the kind of corporate identity theft at issue in the Lee case. Since I can’t find an explanation in the legislative history of the act that revised the statute, or anywhere else, I guess I’ll just have to wonder.